qemu/ati-vga-check-mm_index-before-recursive-.patch

From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 4 Jun 2020 14:38:30 +0530
Subject: ati-vga: check mm_index before recursive call (CVE-2020-13800)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Git-commit: a98610c429d52db0937c1e48659428929835c455
References: bsc#1172495, CVE-2020-13800

While accessing VGA registers via ati_mm_read/write routines,
a guest may set 's->regs.mm_index' such that it leads to infinite
recursion. Check mm_index value to avoid such recursion. Log an
error message for wrong values.

Reported-by: Ren Ding <rding@gatech.edu>
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
Reported-by: Yi Ren <c4tren@gmail.com>
Message-id: 20200604090830.33885-1-ppandit@redhat.com
Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
 hw/display/ati.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/hw/display/ati.c b/hw/display/ati.c
index 58ec8291d4601b70720fa1484f88..9228f1b242bb7b141eb50a19e12b 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
             if (idx <= s->vga.vram_size - size) {
                 val = ldn_le_p(s->vga.vram_ptr + idx, size);
             }
-        } else {
+        } else if (s->regs.mm_index > MM_DATA + 3) {
             val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
+        } else {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index);
         }
         break;
     case BIOS_0_SCRATCH ... BUS_CNTL - 1:
@@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr,
             if (idx <= s->vga.vram_size - size) {
                 stn_le_p(s->vga.vram_ptr + idx, size, data);
             }
-        } else {
+        } else if (s->regs.mm_index > MM_DATA + 3) {
             ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
+        } else {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index);
         }
         break;
     case BIOS_0_SCRATCH ... BUS_CNTL - 1:
Accepting request 822154 from home:bfrogers:branches:Virtualization - Updating to Sphinx v3.1.2 in Factory is exposing an issue in qemu doc sources. Fix it docs-fix-trace-docs-build-with-sphinx-3..patch - Fix DoS possibility in ati-vga emulation (CVE-2020-13800 bsc#1172495) ati-vga-check-mm_index-before-recursive-.patch - Fix DoS possibility in Network Block Device (nbd) support infrastructure (CVE-2020-10761 bsc#1172710) nbd-server-Avoid-long-error-message-asse.patch - Fix null pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386) exec-set-map-length-to-zero-when-returni.patch - Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383) megasas-use-unsigned-type-for-reply_queu.patch - Fix legacy IGD passthrough hw-vfio-pci-quirks-Fix-broken-legacy-IGD.patch - The latest gcc10 available in Factory has the fix for the issue this patch was created to avoid, so drop it build-Work-around-gcc10-bug-by-not-using.patch - Switch to upstream versions of some patches we carry add-enum-cast-to-avoid-gcc10-warning.patch -> golan-Add-explicit-type-casts-for-nodnic.patch Be-explicit-about-fcommon-compiler-direc.patch -> build-Be-explicit-about-fcommon-compiler.patch Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch -> build-Do-not-apply-WORKAROUND_CFLAGS-for.patch Fix-s-directive-argument-is-null-error.patch -> build-Fix-s-directive-argument-is-null-e.patch Workaround-compilation-error-with-gcc-9..patch -> build-Workaround-compilation-error-with-.patch work-around-gcc10-problem-with-zero-leng.patch -> intel-Avoid-spurious-compiler-warning-on.patch - Fix vgabios issue for cirrus graphics emulation, which effectively downgraded it to standard VGA behavior vga-fix-cirrus-bios.patch - Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384) es1370-check-total-frame-count-against-c.patch OBS-URL: https://build.opensuse.org/request/show/822154 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=553 2020-07-22 06:19:22 +02:00			`From: Prasad J Pandit <pjp@fedoraproject.org>`
			`Date: Thu, 4 Jun 2020 14:38:30 +0530`
			`Subject: ati-vga: check mm_index before recursive call (CVE-2020-13800)`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`Git-commit: a98610c429d52db0937c1e48659428929835c455`
			`References: bsc#1172495, CVE-2020-13800`

			`While accessing VGA registers via ati_mm_read/write routines,`
			`a guest may set 's->regs.mm_index' such that it leads to infinite`
			`recursion. Check mm_index value to avoid such recursion. Log an`
			`error message for wrong values.`

			`Reported-by: Ren Ding <rding@gatech.edu>`
			`Reported-by: Hanqing Zhao <hanqing@gatech.edu>`
			`Reported-by: Yi Ren <c4tren@gmail.com>`
			`Message-id: 20200604090830.33885-1-ppandit@redhat.com`
			`Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>`
			`Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>`
			`Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>`
			`Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>`
			`Signed-off-by: Bruce Rogers <brogers@suse.com>`
			`---`
			`hw/display/ati.c \| 10 ++++++++--`
			`1 file changed, 8 insertions(+), 2 deletions(-)`

			`diff --git a/hw/display/ati.c b/hw/display/ati.c`
			`index 58ec8291d4601b70720fa1484f88..9228f1b242bb7b141eb50a19e12b 100644`
			`--- a/hw/display/ati.c`
			`+++ b/hw/display/ati.c`
			`@@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)`
			`if (idx <= s->vga.vram_size - size) {`
			`val = ldn_le_p(s->vga.vram_ptr + idx, size);`
			`}`
			`- } else {`
			`+ } else if (s->regs.mm_index > MM_DATA + 3) {`
			`val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);`
			`+ } else {`
			`+ qemu_log_mask(LOG_GUEST_ERROR,`
			`+ "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index);`
			`}`
			`break;`
			`case BIOS_0_SCRATCH ... BUS_CNTL - 1:`
			`@@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr,`
			`if (idx <= s->vga.vram_size - size) {`
			`stn_le_p(s->vga.vram_ptr + idx, size, data);`
			`}`
			`- } else {`
			`+ } else if (s->regs.mm_index > MM_DATA + 3) {`
			`ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);`
			`+ } else {`
			`+ qemu_log_mask(LOG_GUEST_ERROR,`
			`+ "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index);`
			`}`
			`break;`
			`case BIOS_0_SCRATCH ... BUS_CNTL - 1:`